Crimeware Pays

Adware, phishing, and spam are a strange--and big--business

As recently as five years ago, online crime--malware, Trojan horses, phishing--was still a kid's game, dominated by grandstanding cliques of hackers. But today, according to new industry studies, “crimeware” has become an emerging worldwide business. Often based in former Soviet bloc countries like Russia and Romania, where Internet access is high but policing low, burgeoning syndicates regularly launch attacks on users around the world. The first comprehensive analysis of crimeware business models finds a multitude of ways to make money. Of them, phishing is the fastest-growing sector, but adware is the steady moneymaker.

Adware is code secretly installed by a Web site that generates pay-per-click advertising on a user's computer. As frustrated users try to click their way out of a sudden flurry of pop-up ads, each ad's owner must send money to the adware supplier. (Generally, the advertiser is unaware that malicious adware is involved.)

One Russian Web site, iFrameCash.biz, exploited a Microsoft Windows security hole in late 2005, generating thousands or perhaps millions of dollars in adware revenue, notes David Cole, director of consumer products at Symantec, in Cupertino, Calif. Cole coauthored a chapter on crimeware business models in the new book Crimeware: Understanding New Attacks and Defenses (Addison-Wesley Professional) with his Symantec colleague Sourabh Satish. Although Microsoft promptly patched the security hole that iFrameCash took advantage of, many computers around the world remained unpatched and vulnerable for months. A similar attack on MySpace users in 2006, exploiting the same hole, resulted in more than a million infected computers. Cole estimates that each infected computer could net 20 to 30 U.S. cents for the Russian perpetrators.

The fly-by-night nature of the crimeware business makes tracking overall industry revenues difficult, says Cole, although the costs of computer crime are reported annually by the U.S. Federal Bureau of Investigation and the Computer Security Institute, a private membership organization of IT security experts.

According to the 2007 CSI Computer Crime and Security Survey, computer crime is on the rise--costing each CSI member bank, company, or organization an average of US $345 000, up 105 percent from 2006. But those costs are far from those incurred during the boom years of 2001 and 2002, when CSI member organizations (whose firewalls and security measures were still comparatively unsophisticated) reported an average annual loss of $3.1 million and $2.1 million, respectively.

The aggregate revenue generated by computerized fraud and crime, says Ross Anderson, professor of security engineering at the University of Cambridge, in England, is “surely in the billions of dollars” from the United States alone. And the fastest growing sector, he adds, is phishing--the spam that tries to coax naive users into giving up access to their bank accounts.

The biggest difficulty with phishing, he says, is that banks--the primary targets of phishing e-mails--are extremely secretive. And that has left the industry exposed to phishing attacks that could be thwarted with better cooperation between banks' IT departments. In 2006, for instance, UK banks lost £35 million (currently about $68 million) to phishers, but 93 percent of that was from a single attack on Barclays. “From the point of view of every other bank in 2006, that wasn't their problem,” Anderson says. “That was Barclays' problem.”

Phishing and adware have straightforward business models, but the crimeware industry has its quirks. For instance, the going rate for access to a good World of Warcraft avatar is $10 or more on Internet black markets, says Cole. On the other hand, he adds, “You can buy a [real person's] stolen identity for anywhere from $1 to $2. That includes name, social security number, mother's maiden name, address--all the things you need to actually open up a [credit card] account.”

Cole says this pricing disparity reflects the ease and immediacy with which real-world cash can be wrung from the respective stolen goods. Setting up phony credit cards takes effort and exposes the thief to prosecution. On the other hand, rogue World of Warcraft trading Web sites offer quick cash. And no one is likely to complain “to the FBI that they lost their magic sword to someone in China,” he says.